SonicWall MySonicWall Backup Breach

SonicWall recently disclosed a security incident involving its MySonicWall cloud backup service. Unknown threat actors used brute force techniques to access backup “preference” (configuration) files of some SonicWall firewalls stored in the cloud. While credentials inside those files are encrypted, the configuration backups also contain other information that could make it easier to attack or exploit the relevant firewalls. SonicWall estimates fewer than 5% of its firewall install base were impacted. The incident is not believed to be a ransomware event, and SonicWall reports no proof that the accessed files have been leaked publicly.

However, given the recent SonicWall vulnerability (CVE-2024-40766) that has been actively exploited by ransomware actors, this incident should be taken seriously. We recommend organizations review all SonicWall firewall settings, verify configurations, and ensure devices are updated with the latest patches. Please follow all of SonicWall’s published remediation guidance and the instructions below if either this security incident or CVE-2024-40766 applies to your environment.

Vulnerability Name: MySonicWall Cloud Backup File Exposure
Affected Products: SonicWall firewalls that have their preference files backed up to MySonicWall.com
Vulnerability Description: Backups of firewall configuration (“preference”) files, including network rules, VPN configs, service credentials (encrypted), and user/group info, were accessed via brute-force attacks on the backup service. Because the files include metadata and configuration info, attackers might use that info to exploit the related firewall devices.
Severity: High
Patch Link: SonicWall Knowledge Base: MySonicWall Cloud Backup File Incident (https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330)

Vulnerability Name: CVE-2024-40766 (SSLVPN improper access control)
Affected Products: SonicWall Gen 5 / Gen 6 / Gen 7 firewalls with SSLVPN enabled (if unpatched)
Vulnerability Description: Although not directly part of this backup incident, this vulnerability has been exploited by threat actors to gain initial access to SonicWall devices. It increases overall risk when configuration info is known.
Severity: Critical
Patch Link: NVD Entry: CVE-2024-40766 (https://nvd.nist.gov/vuln/detail/CVE-2024-40766)

Vulnerability Details

The incident involves unauthorized access to cloud backups of firewall preference/configuration files stored via SonicWall’s MySonicWall portal. The attackers appear to have used brute force techniques against MySonicWall’s backup API/service. Beyond encrypted credentials, the accessed backups include the layout of firewall rules, VPN settings, the list of enabled services, serial numbers, possibly user/group settings, and NAT and routing configurations, all of which can be leveraged to plan attacks or identify misconfigurations. SonicWall reports that fewer than 5% of its firewall customer base had backups that were accessed.

SonicWall is not aware at this time of any leaks of the files, or of threat actors actively exploiting them (beyond having accessed them). The incident is distinct from a ransomware attack, though risk remains if the configurations are misused.

SonicWall has released a remediation playbook with guidance for checking whether backups exist and whether a given serial number is flagged, along with recommendations for credential resets, import of a modified configuration, service review, and further security actions.

How the Breach Affects Organizations and Network Security

Organizations whose SonicWall firewalls had cloud backup configuration enabled may have configuration metadata exposed that reduces security posture. Even though credentials are encrypted, attackers may derive information about network topology, service exposure, VPN endpoints, user accounts, and other sensitive data. This can facilitate reconnaissance, lateral movement, and planning future attacks.

If exposed VPN shared keys, administrative service configurations, or remote access services are misconfigured or weak, attackers may attempt offline decryption or brute-force attacks against them.

The exposure risk increases for organizations that have not fully patched related vulnerabilities such as SSLVPN improper access control.

The time and resource costs of auditing and resetting configuration items and credentials, possibly reinstalling or importing a modified configuration, and carrying out other mitigation may be substantial.

How Organizations Should Respond

Organizations should act immediately if they are potentially affected. Follow the steps below to determine your organization’s exposure status and reduce your risks.

  1. Log in to MySonicWall.com.
  2. Check whether cloud backups are enabled for your registered firewall devices. If backups are not enabled, you are not at risk from this incident.
  3. If cloud backups are enabled, check under Product Management → Issue List if any of your registered serial numbers are flagged.
  4. Follow the Containment and Mitigation documentation given by SonicWall found at: https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330
  5. For CVE-2024-40766, refer to the link below to determine exposure and follow all guidance from SonicWall: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

Conclusion

The SonicWall MySonicWall backup breach was a wake-up call for organizations that rely on third-party cloud storage for their critical configuration files. Even though SonicWall has published remediation recommendations and reports no evidence that the accessed data has been leaked, the attack shows how apparently minor exposures can add up to a serious risk when combined with known vulnerabilities.

Through proactive identity protection, patching, and configuration auditing, organizations can use this attack as an opportunity to improve resilience and reduce their attack surface.

Cybersecurity is no longer merely about preventing ransomware or malware; it also means acknowledging that every piece of system intelligence counts. Protecting backups and configuration files with the same rigor as confidential data is not a choice; it is a requirement for remaining safe in today’s threat environment.
